1.\"- 2.\" Copyright (c) 2005-2017 Dag-Erling Smørgrav 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. The name of the author may not be used to endorse or promote 14.\" products derived from this software without specific prior written 15.\" permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.Dd June 27, 2023 30.Dt PAM.CONF 5 31.Os 32.Sh NAME 33.Nm pam.conf 34.Nd PAM policy file format 35.Sh DESCRIPTION 36The PAM library searches for policies in the following files, in 37decreasing order of preference: 38.Bl -enum 39.It 40.Pa /etc/pam.d/ Ns Ar service-name 41.It 42.Pa /etc/pam.conf 43.It 44.Pa /usr/local/etc/pam.d/ Ns Ar service-name 45.It 46.Pa /usr/local/etc/pam.conf 47.El 48.Pp 49If none of these locations contains a policy for the given service, 50the 51.Dq Dv other 52policy is used instead, if it exists. 53.Pp 54Entries in per-service policy files must be of one of the two forms 55below: 56.Bd -unfilled -offset indent 57.Ar facility control-flag module-path Op Ar arguments ... 58.Ar facility Cm include Ar other-service-name 59.Ed 60.Pp 61Entries in 62.Pa pam.conf Ns -style 63policy files are of the same form, but are prefixed by an additional 64field specifying the name of the service they apply to. 65.Pp 66In both cases, blank lines and comments introduced by a 67.Ql # 68sign are ignored, and the normal shell quoting rules apply. 69The precise details of how the file is tokenized are described in 70.Xr openpam_readword 3 . 71.Pp 72The 73.Ar facility 74field specifies the facility the entry applies to, and is one of: 75.Bl -tag -width 12n 76.It Cm auth 77Authentication functions 78.Po 79.Xr pam_authenticate 3 , 80.Xr pam_setcred 3 81.Pc 82.It Cm account 83Account management functions 84.Pq Xr pam_acct_mgmt 3 85.It Cm session 86Session handling functions 87.Po 88.Xr pam_open_session 3 , 89.Xr pam_close_session 3 90.Pc 91.It Cm password 92Password management functions 93.Pq Xr pam_chauthtok 3 94.El 95.Pp 96The 97.Ar control-flag 98field determines how the result returned by the module affects the 99flow of control through (and the final result of) the rest of the 100chain, and is one of: 101.Bl -tag -width 12n 102.It Cm required 103If this module succeeds, the result of the chain will be success 104unless a later module fails. 105If it fails, the rest of the chain still runs, but the final result 106will be failure regardless of the success of later modules. 107.It Cm requisite 108If this module succeeds, the result of the chain will be success 109unless a later module fails. 110If the module fails, the chain is broken and the result is failure. 111.It Cm sufficient 112If this module succeeds, the chain is broken and the result is 113success. 114If it fails, the rest of the chain still runs, but the final result 115will be failure unless a later module succeeds. 116.It Cm binding 117If this module succeeds, the chain is broken and the result is 118success. 119If it fails, the rest of the chain still runs, but the final result 120will be failure regardless of the success of later modules. 121.It Cm optional 122If this module succeeds, the result of the chain will be success 123unless a later module fails. 124If this module fails, the result of the chain will be failure unless a 125later module succeeds. 126.El 127.Pp 128There are two exceptions to the above: 129.Cm sufficient 130and 131.Cm binding 132modules are treated as 133.Cm optional 134by 135.Xr pam_setcred 3 , 136and in the 137.Dv PAM_PRELIM_CHECK 138phase of 139.Xr pam_chauthtok 3 . 140.Pp 141The 142.Ar module-path 143field specifies the name or full path of the module to call. 144If only the name is specified, the PAM library will search for it in 145the following locations: 146.Bl -enum 147.It 148.Pa /usr/lib 149.It 150.Pa /usr/local/lib 151.El 152.Pp 153The remaining fields, if any, are passed unmodified to the module if 154and when it is invoked. 155.Pp 156The 157.Cm include 158form of entry causes entries from a different chain (specified by 159.Ar other-system-name ) 160to be included in the current one. 161This allows one to define system-wide policies which are then included 162into service-specific policies. 163The system-wide policy can then be modified without having to also 164modify each and every service-specific policy. 165.Pp 166.Bf -symbolic 167Take care not to introduce loops when using 168.Cm include 169rules, as there is currently no loop detection in place. 170.Ef 171.Sh MODULE OPTIONS 172Some PAM library functions may alter their behavior when called by a 173service module if certain module options were specified, regardless of 174whether the module itself accords them any importance. 175One such option is 176.Cm debug , 177which causes the dispatcher to enable debugging messages before 178calling each service function, and disable them afterwards (unless 179they were already enabled). 180Other special options include: 181.Bl -tag -width 12n 182.It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt 183These options can be used to override the prompts used by 184.Xr pam_get_authtok 3 185and 186.Xr pam_get_user 3 . 187.It Cm echo_pass 188This option controls whether 189.Xr pam_get_authtok 3 190will allow the user to see what they are typing. 191.It Cm try_first_pass , Cm use_first_pass 192These options control 193.Xr pam_get_authtok 3 Ns 's 194use of cached authentication tokens. 195.El 196.Sh SEE ALSO 197.Xr pam 3 198.Sh STANDARDS 199.Rs 200.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" 201.%D "June 1997" 202.Re 203.Sh AUTHORS 204The OpenPAM library was developed for the 205.Fx 206Project by ThinkSec AS and Network Associates Laboratories, the 207Security Research Division of Network Associates, Inc.\& under 208DARPA/SPAWAR contract N66001-01-C-8035 209.Pq Dq CBOSS , 210as part of the DARPA CHATS research program. 211.Pp 212The OpenPAM library is maintained by 213.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no . 214